Math Analysis

Classic buffer overflow.

Problem

Congratulations, you've graduated from letters! Now, let's move on to numbers.

From the BCA Course Catalog:

Analysis I includes linear and quadratic functions, polynomials, inequalities, functions, exponential and logarithmic functions, conic sections, and geometry.

That's a lot of cool stuff! I think you'll have tons of fun learning about functions in this class!

Solution

This is a classic buffer overflow with a win function.

char response[50];

setbuf(stdout, NULL);
setbuf(stdin, NULL);
setbuf(stderr, NULL);

puts("It's math time, baby!");
puts("WOOO I love my numbers and functions and stuff!!");
printf("For example, here's a number: %d.\n", cheat);
puts("What do you think about that wonderful number?");
printf("> ");
gets(response);

We want to jump here:

void cheat() {
    FILE *fp = fopen("flag.txt", "r");
    char flag[100];

    if (fp == NULL) {
        puts("Hmmm... I can't find my answers.");
        puts("That's not good, but at least it means you can't cheat!");
        puts("[If you are seeing this on the remote server, please contact admin].");
        exit(1);
    }

    fgets(flag, sizeof(flag), fp);
    puts(flag);
}

I've been writing my own tool for challenges like this, and I'm glad it worked! The general steps are still the same, though - using a cyclic pattern to find the RIP offset, then overwriting the return value to the win function.

Using the payload, we get the flag from the remote server.

PreviousAdvanced Math Analysis NextAmerican Literature

Last updated 4 years ago